4. For Example: Return-Oriented Programming
[Figure: virtual memory layout (code, heap and stack between low and high addresses); the stack holds the addresses of a LOAD gadget and an ADD gadget, each ending in ret, with SP pointing at the next entry]
• Finite state machine
• SP (read head) + ret
• Program
6. László Szekeres et al., “Eternal War in Memory”
Not only stack overflow and use-after-free
ROP
SMEP is not shown in the figure
7. Modify a Code Pointer …
• Code pointer
– Stack overflow modifies EIP. Once the ret instruction is used, the execution flow is redirected.
– Heap overflow modifies a function pointer with an address that points to a stack pivot gadget. Once the overwritten function pointer is used by the application, the execution flow is redirected.
– Enrique Nissim et al., Windows SMEP Bypass U=S (!)
– …
8. Just-In-Time ROP
Kevin Z. Snow et al., “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization”
[Figure: ROP under ASLR]
23. The Concept of Data-oriented Programming
• The data consumed by the interpreter is inherently under the remote attacker’s control
• For example, all local variables are under the control of attackers using stack overflow
[Figure: Vulnerable FTP server with data-oriented gadgets]
24. Data-oriented Programming
A data-oriented gadget simulates three logical micro-operations:
• the load micro-operation
• the intended virtual operation’s semantics
• the store micro-operation
[Figure: The Evil interpreter; data-oriented gadget of an assignment operation. The grey part represents what needs to be in memory.]
*Runtime disassembler
*Runtime gadget finder
*Just-in-time TOP compiler
goto h(A) is used to invoke the functional gadget f(A) -> A, which can redirect A to point to the next item of the dispatch table. For example, f can be A = A + 4, or a dereference operation A = *(A + 8).
The main idea of CFI is to derive an application’s control-flow graph (CFG) prior to execution, and then monitor indirect branches to ensure that the control flows follow a legitimate path of the CFG
Shadow stack is a run-time mechanism for checking that functions return to their caller
In this way, the control flows between the loop gadget and the functional gadgets strictly follow the process of call-ret pairing.
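The following is an added example, not code from the slides or from the papers they cite. It is a toy abstract machine that enforces the two checks just described: a shadow stack on every RET and a CFI target check on every indirect call. It then runs three single-write memory errors against a constructed sample program: one that overwrites a saved return address (the "stack is the program" model of slide 4), one that overwrites a function pointer, and one that overwrites only a non-control variable. The instruction set, memory layout, program and sample values are all constructed for this illustration.

```python
# Added example, not from the slides: a toy abstract machine that enforces a
# shadow stack on RET and a CFI target check on indirect calls, run against
# (1) a corrupted saved return address (the "stack is the program" model),
# (2) a corrupted function pointer, and (3) a corrupted non-control variable.
# Instruction set, memory layout and the sample program are constructed here.

class CFIViolation(Exception):
    """Raised when a return or indirect call leaves the legitimate CFG."""


class Machine:
    def __init__(self, code, cfg, mem_size=32):
        self.code = code            # list of (opcode, *operands) tuples
        self.cfg = cfg              # allowed targets per ICALL site: {pc: {target, ...}}
        self.mem = [0] * mem_size   # flat data memory; the stack grows down from the top
        self.sp = mem_size          # stack pointer (index of the top-of-stack cell)
        self.pc = 0                 # program counter
        self.acc = 0                # single accumulator register
        self.shadow = []            # shadow stack: return addresses the memory error cannot reach

    def push(self, value):
        self.sp -= 1
        self.mem[self.sp] = value

    def pop(self):
        value = self.mem[self.sp]
        self.sp += 1
        return value

    def call(self, target):
        # Save the return address both on the real stack and on the shadow stack.
        self.push(self.pc + 1)
        self.shadow.append(self.pc + 1)
        self.pc = target

    def run(self, corrupt=None, max_steps=100):
        """Execute until HALT and return the accumulator.

        `corrupt` is an optional (step, address, value) triple modelling a single
        memory-error write that lands just before the instruction of that step.
        """
        for step in range(max_steps):
            if corrupt is not None and corrupt[0] == step:
                _, addr, value = corrupt
                self.mem[addr] = value
            op, *args = self.code[self.pc]
            if op == "HALT":
                return self.acc
            if op == "CALL":
                self.call(args[0])
            elif op == "ICALL":
                # Indirect call through a function pointer stored in memory.
                target = self.mem[args[0]]
                if target not in self.cfg.get(self.pc, set()):
                    raise CFIViolation(f"pc={self.pc}: indirect call to {target} is not in the CFG")
                self.call(target)
            elif op == "RET":
                ret = self.pop()
                expected = self.shadow.pop()
                if ret != expected:
                    raise CFIViolation(f"shadow stack: return to {ret}, expected {expected}")
                self.pc = ret
            elif op == "LOAD":
                self.acc = self.mem[args[0]]
                self.pc += 1
            elif op == "STORE":
                self.mem[args[0]] = self.acc
                self.pc += 1
            elif op == "ADDI":
                self.acc += args[0]
                self.pc += 1
            else:
                raise ValueError(f"unknown opcode {op}")
        raise RuntimeError("step limit exceeded")


# Constructed sample program. Memory cells: 0 = result, 1 = count, 2 = function pointer.
CODE = [
    ("ICALL", 2),      # 0: main calls the helper through the pointer in mem[2]
    ("LOAD", 0),       # 1: acc = result
    ("HALT",),         # 2
    ("ADDI", 100),     # 3: a code fragment ending in RET that is never called legitimately
    ("RET",),          # 4
    ("LOAD", 1),       # 5: helper: acc = count
    ("ADDI", 1),       # 6: acc = count + 1
    ("STORE", 0),      # 7: result = acc
    ("RET",),          # 8
]
CFG = {0: {5}}         # the only legitimate target of the ICALL at pc 0 is the helper


def run_scenario(corrupt=None):
    """Run the program with one modelled memory-error write and report the outcome."""
    m = Machine(CODE, CFG)
    m.mem[1] = 4       # count
    m.mem[2] = 5       # function pointer -> helper
    try:
        return ("ok", m.run(corrupt=corrupt))
    except CFIViolation as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    print("baseline:                ", run_scenario())
    print("saved return address hit:", run_scenario((1, 31, 3)))   # mem[31] holds main's return address
    print("function pointer hit:    ", run_scenario((0, 2, 3)))    # ICALL now points at pc 3
    print("non-control data hit:    ", run_scenario((1, 1, 41)))   # only `count` changes
```

The first two corruptions are caught: the shadow stack sees a return address that does not match the call, and the CFI check sees an indirect-call target outside the CFG. The third run is the case the data-oriented notes below are about: every return matches its call and every indirect call stays inside the CFG, so neither check fires, yet the program computes a value the memory error chose. Control-flow checks say nothing about the integrity of non-control data.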
selector
* FSM’s read head (the *type in the figure above)
* Link gadgets
(both of the above are achieved by memory corruption)
Supplement on link gadgets:
Addresses of load/store micro-operations are corruptible by the memory error so that gadget i’s output and gadget i+1’s input have the same address. Alternatively, to link two gadgets one can insert an assignment gadget between them, so that gadget i’s output and gadget i+1’s input sit at different locations but hold the same value.
=>
Each iteration executes a subset of gadgets using outputs from gadgets in the previous iteration. To direct the outputs of one gadget in iteration i into the inputs to a gadget in iteration i+1, the selector changes the load address of iteration i+1 to the store addresses of iteration i. The selector’s behavior is controlled by attackers through the memory error.
The selector on line 7 (the code on p. 19) is the memory error itself, which repeatedly corrupts the local variables to set up the execution of gadgets in that iteration. The corruption is done in a way that enables only the gadgets of the attacker’s choice. These gadgets take as input the outputs of the previous round’s gadgets by selectively corrupting operand pointers. The remaining gadgets may still get executed, but their inputs and outputs are set up such that they behave like NOPs (operating on unused memory locations); these are the grey gadgets.